This module exports symbols that must be accessible only to trusted
code. By convention, the names of such symbols always end
"...TCB" (short for "trusted computing base"). In many cases, a
type is safe to export while its constructor is not. Hence, only the
constructor ends "TCB", while the type is re-exported to safe code
(without constructors) to from LIO.Core.

Security rests on the fact that untrusted code must be compiled with
-XSafe. Because this module is flagged unsafe, it cannot be
imported from safe modules.

The LIO monad is a wrapper around IO that keeps track of a
current label and current clearance. Safe code cannot execute
arbitrary IO actions from the LIO monad. However, trusted
runtime functions can use ioTCB to perform IO actions (which
they should only do after appropriately checking labels).

Privileged constructors

A newtype wrapper that can be used by trusted code to transform a
powerless description of privileges into actual privileges. The
constructor, PrivTCB, is dangerous as it allows creation of
arbitrary privileges. Hence it is only exported by the unsafe
module LIO.TCB. A safe way to create arbitrary privileges is to
call privInit (see LIO.Run) from the IO monad
before running your LIO computation.

Labeled l a is a value that associates a label of type l with
a pure value of type a. Labeled values allow users to label data
with a label other than the current label. Note that Labeled is
an instance of LabelOf, which means that only the contents of a
labeled value (the type t) is kept secret, not the label. Of
course, if you have a Labeled within a Labeled, then the label
on the inner value will be protected by the outer label.

Uncatchable exception type

An uncatchable exception hierarchy is used to terminate an
untrusted thread. Wrap the uncatchable exception in
UncatchableTCB before throwing it to the thread. runLIO will
subsequently unwrap the UncatchableTCB constructor.

Note this can be circumvented by mapException, which should be
made unsafe. In the interim, auditing untrusted code for this is
necessary.

It would be a security issue to make certain objects members of
the Show class. Nonetheless it is useful to be able to examine
such objects when debugging. The showTCB method can be used to
examine such objects.